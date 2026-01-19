In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week's stories show how easily a small mistake or hidden service can turn into a real break-in.

Behind the headlines, the pattern is clear. Automation is being used against the people who built it. Attackers reuse existing systems instead of building new ones. They move faster than most organizations can patch or respond. From quiet code flaws to malware that changes while it runs, attacks are focusing less on speed and more on staying hidden and in control.

If you're protecting anything connected—developer tools, cloud systems, or internal networks—this edition shows where attacks are going next, not where they used to be.

⚡ Threat of the Week

Critical Fortinet Flaw Comes Under Attack — A critical security flaw in Fortinet FortiSIEM has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-64155 (CVSS score: 9.4), allows an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests. In a technical analysis, Horizon3.ai described the issue as comprising two issues: an unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user, and a file overwrite privilege escalation vulnerability that leads to root access and complete compromise of the appliance. The vulnerability affects the phMonitor service, an internal FortiSIEM component that runs with elevated privileges and plays an integral role in system health and monitoring. Because the service is deeply embedded in FortiSIEM's operational workflow, successful exploitation grants attackers full control of the appliance.

🔔 Top News

VoidLink Linux Malware Enables Long-Term Access — A new cloud-native Linux malware framework named VoidLink focuses on cloud environments, providing attackers with a wide assortment of custom loaders, implants, rootkits, and plugins that are designed for additional stealth and for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The feature-rich framework is engineered for long-term access, surveillance, and data collection rather than short-term disruption, allowing an operator to control agents, implants, and plugins via a web-based dashboard localized for Chinese users. Key to the malware's architecture is to "automate evasion as much as possible" by profiling a Linux environment and intelligently choosing the best strategy for operating without detection. Indeed, when signs of tampering or malware analysis are detected on an infected machine, it can delete itself and invoke anti-forensics modules designed to remove traces of its activity. It's fitted with an "unusually broad" feature set, including rootkit-style capabilities, an in-memory plug-in system for extending functionality, and the ability to adjust runtime evasion based on the security products it detects. VoidLink draws inspiration from Cobalt Strike, an adversary simulation framework that has been widely adopted and misused by attackers over the years. It's believed to be the work of Chinese developers. "Together, these plugins sit atop an already sophisticated core implementation, enriching VoidLink's capabilities beyond cloud environments to developer and administrator workstations that interface directly with those cloud environments, turning any compromised machine into a flexible launchpad for deeper access or supply-chain compromise," Check Point said. "Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers." However, its intended use remains unclear, and no evidence of real-world infections has been observed, which supports the assumption that the modular malware was created "either as a product offering or as a framework developed for a customer."

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week's most serious security flaws. Check them, fix what matters first, and stay protected.

This week's list includes — CVE-2025-20393 (Cisco AsyncOS Software), CVE-2026-23550 (Modular DS plugin), CVE-2026-0227 (Palo Alto Networks PAN-OS), CVE-2025-64155 (Fortinet FortiSIEM), CVE-2026-20805 (Microsoft Windows Desktop Window Manager), CVE-2025-12420 (ServiceNow), CVE-2025-55131, CVE-2025-55131, CVE-2025-59466, CVE-2025-59465 (Node.js), CVE-2025-68493 (Apache Struts 2), CVE-2026-22610 (Angular Template Compiler), CVE-2025-66176, CVE-2025-66177 (Hikvision), CVE-2026-0501, CVE-2026-0500, CVE-2026-0498​, CVE-2026-0491 (SAP), CVE-2026-21859, CVE-2026-22689 (Mailpit), CVE-2026-22601, CVE-2026-22602, CVE-2026-22603, CVE-2026-22604 (OpenProject), CVE-2026-23478 (Cal.com), CVE-2025-14364 (Demo Importer Plus plugin), CVE-2025-14502 (News and Blog Designer Bundle), CVE-2025-14301 (Integration Opvius AI for WooCommerce plugin), CVE-2025-52493 (PagerDuty Runbook), CVE-2025-55315 (ASP.NET Core Kestrel server), CVE-2026-20965 (Microsoft Windows Admin Center), and CVE-2025-14894 (Livewire Filemanager).

📰 Around the Cyber World

Unpatched Flaw in Livewire Filemanager — An unpatched security flaw was disclosed in Livewire Filemanager, a file manager component for Laravel-based websites that allows file uploads. The vulnerability (CVE-2025-14894, CVSS score: 7.5) can permit threat actors to upload malicious PHP files to a remote server and trigger its execution. "When a user uploads a PHP file to the application, it can be accessed and executed by visiting the web-accessible file hosting directory," the CERT Coordination Center (CERT/CC) said. "This enables an attacker to create a malicious PHP file, upload it to the application, then force the application to execute it, enabling unauthenticated arbitrary code execution on the host device."

🎥 Cybersecurity Webinars

How Top MSSPs Are Using AI to Grow in 2026: Learn Their Formula — By 2026, MSSPs are under pressure to do more with less, and AI is becoming the edge that separates those who scale from those who stall. This session explores how automation reduces manual work, improves margins, and enables growth without adding headcount, with real-world insights from Cynomi founder David Primor and Secure Cyber Defense CISO Chad Robinson on turning expertise into repeatable, high-value services.

— By 2026, MSSPs are under pressure to do more with less, and AI is becoming the edge that separates those who scale from those who stall. This session explores how automation reduces manual work, improves margins, and enables growth without adding headcount, with real-world insights from Cynomi founder David Primor and Secure Cyber Defense CISO Chad Robinson on turning expertise into repeatable, high-value services. Stop Guessing Your SOC Strategy: Learn What to Build, Buy, or Automate — Modern SOC teams are overloaded with tools, noise, and promises that don't translate into results, making it hard to know what to build, buy, or automate. In this session, AirMDR CEO Kumar Saurabh and SACR CEO Francis Odum cut through the clutter with a practical, vendor-neutral look at SOC operating models, maturity, and real-world decision frameworks—leaving teams with a clear, actionable path to simplify their stack and make their SOC work more effectively.

🔧 Cybersecurity Tools

AuraInspector — It is an open-source tool for auditing Salesforce Experience Cloud security. It helps find misconfigurations that could expose data or admin functions by checking accessible records, self-registration options, and hidden "home URLs." The tool automates much of the testing, including object discovery through GraphQL methods, and works in both guest and authenticated contexts. It's a research utility, not an official Google product, designed to make Salesforce Aura security testing faster and more reliable.

Maltrail — It is an open-source tool for detecting malicious network traffic. It compares network activity against known blacklists of suspicious domains, IPs, URLs, and user agents linked to malware or attacks, and can also flag new threats using heuristics. The system uses sensors to monitor traffic and a central server to log and display events through a web interface, helping identify infected hosts or abnormal activity in real time.

Disclaimer: These tools are for learning and research only. They haven't been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

The message is clear. Today's threats aren't just single break-ins. They come from connected weak spots, where one exposed service or misused tool can affect an entire system. Attackers don't see cloud platforms, AI tools, and enterprise software as separate. They see one shared space. Defenders need to think the same way, treating every part of their environment as connected and worth watching all the time, not just after something goes wrong.

What happened this week isn't unusual. It's a warning. Every update, setting, and access rule matters, because the next attack will likely begin from something already inside. This recap shows how small gaps turned into big openings—and what's being done to close them before the next round begins.